/*
|
|
Copyright 2018 0kims association.
|
|
|
|
This file is part of zksnark JavaScript library.
|
|
|
|
zksnark JavaScript library is a free software: you can redistribute it and/or
|
|
modify it under the terms of the GNU General Public License as published by the
|
|
Free Software Foundation, either version 3 of the License, or (at your option)
|
|
any later version.
|
|
|
|
zksnark JavaScript library is distributed in the hope that it will be useful,
|
|
but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
|
|
or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for
|
|
more details.
|
|
|
|
You should have received a copy of the GNU General Public License along with
|
|
zksnark JavaScript library. If not, see <https://www.gnu.org/licenses/>.
|
|
*/
|
|
|
|
const bigInt = require("./bigint.js");
|
|
|
|
const BN128 = require("./bn128.js");
|
|
const PolField = require("./polfield.js");
|
|
const ZqField = require("./zqfield.js");
|
|
const RatField = require("./ratfield.js");
|
|
|
|
const bn128 = new BN128();
|
|
const G1 = bn128.G1;
|
|
const G2 = bn128.G2;
|
|
const PolF = new PolField(new ZqField(bn128.r));
|
|
const RatPolF = new PolField(new RatField(new ZqField(bn128.r)));
|
|
const F = new ZqField(bn128.r);
|
|
|
|
module.exports = function setup(circuit) {
|
|
const setup = {
|
|
vk_proof : {
|
|
nVars: circuit.nVars,
|
|
nPublic: circuit.nPubInputs + circuit.nOutputs
|
|
},
|
|
vk_verifier: {
|
|
nPublic: circuit.nPubInputs + circuit.nOutputs
|
|
},
|
|
toxic: {}
|
|
};
|
|
|
|
calculatePolynomials(setup, circuit);
|
|
setup.toxic.t = F.random();
|
|
calculateEncriptedValuesAtT(setup, circuit);
|
|
calculateHexps(setup, circuit);
|
|
|
|
return setup;
|
|
};
|
|
|
|
function calculatePolynomials(setup, circuit) {
|
|
// Calculate the points that must cross each polynomial
|
|
|
|
/*
|
|
setup.toxic.aExtra = [];
|
|
setup.toxic.bExtra = [];
|
|
setup.toxic.cExtra = [];
|
|
const aPoints = [];
|
|
const bPoints = [];
|
|
const cPoints = [];
|
|
for (let s = 0; s<circuit.nVars; s++) {
|
|
aPoints[s] = [];
|
|
bPoints[s] = [];
|
|
cPoints[s] = [];
|
|
for (let c=0; c<circuit.nConstraints; c++) {
|
|
aPoints[s].push([[bigInt(c), F.one], [circuit.a(c, s), F.one]]);
|
|
bPoints[s].push([[bigInt(c), F.one], [circuit.b(c, s), F.one]]);
|
|
cPoints[s].push([[bigInt(c), F.one], [circuit.c(c, s), F.one]]);
|
|
}
|
|
// Add an extra point to avoid constant polinolials.
|
|
setup.toxic.aExtra[s] = F.random();
|
|
setup.toxic.bExtra[s] = F.random();
|
|
setup.toxic.cExtra[s] = F.random();
|
|
aPoints[s].push([[bigInt(circuit.nConstraints), F.one], [setup.toxic.aExtra[s], F.one]]);
|
|
bPoints[s].push([[bigInt(circuit.nConstraints), F.one], [setup.toxic.bExtra[s], F.one]]);
|
|
cPoints[s].push([[bigInt(circuit.nConstraints), F.one], [setup.toxic.cExtra[s], F.one]]);
|
|
}
|
|
|
|
// Calculate the polynomials using Lagrange
|
|
setup.vk_proof.polsA = [];
|
|
setup.vk_proof.polsB = [];
|
|
setup.vk_proof.polsC = [];
|
|
for (let s=0; s<circuit.nVars; s++) {
|
|
// console.log(`Caclcualte Pol ${s}/${circuit.nVars}`);
|
|
const pA = RatPolF.lagrange( aPoints[s] );
|
|
const pB = RatPolF.lagrange( bPoints[s] );
|
|
const pC = RatPolF.lagrange( cPoints[s] );
|
|
|
|
setup.vk_proof.polsA.push( unrat(pA) );
|
|
setup.vk_proof.polsB.push( unrat(pB) );
|
|
setup.vk_proof.polsC.push( unrat(pC) );
|
|
|
|
}
|
|
*/
|
|
|
|
setup.toxic.aExtra = [];
|
|
setup.toxic.bExtra = [];
|
|
setup.toxic.cExtra = [];
|
|
|
|
let allZerosPol = [bigInt(1)];
|
|
|
|
for (let c=0; c<=circuit.nConstraints; c++) {
|
|
allZerosPol = PolF.mul(allZerosPol, [F.neg(bigInt(c)), F.one]);
|
|
}
|
|
|
|
setup.vk_proof.polsA = [];
|
|
setup.vk_proof.polsB = [];
|
|
setup.vk_proof.polsC = [];
|
|
for (let s = 0; s<circuit.nVars; s++) {
|
|
setup.vk_proof.polsA.push([]);
|
|
setup.vk_proof.polsB.push([]);
|
|
setup.vk_proof.polsC.push([]);
|
|
}
|
|
|
|
for (let c=0; c<circuit.nConstraints; c++) {
|
|
const mpol = PolF.ruffini(allZerosPol, bigInt(c));
|
|
const normalizer = PolF.F.inverse(PolF.eval(mpol, bigInt(c)));
|
|
for (let s = 0; s<circuit.nVars; s++) {
|
|
const factorA = PolF.F.mul(normalizer, circuit.a(c, s));
|
|
const spolA = PolF.mulScalar(mpol, factorA);
|
|
setup.vk_proof.polsA[s] = PolF.add(setup.vk_proof.polsA[s], spolA);
|
|
|
|
const factorB = PolF.F.mul(normalizer, circuit.b(c, s));
|
|
const spolB = PolF.mulScalar(mpol, factorB);
|
|
setup.vk_proof.polsB[s] = PolF.add(setup.vk_proof.polsB[s], spolB);
|
|
|
|
const factorC = PolF.F.mul(normalizer, circuit.c(c, s));
|
|
const spolC = PolF.mulScalar(mpol, factorC);
|
|
setup.vk_proof.polsC[s] = PolF.add(setup.vk_proof.polsC[s], spolC);
|
|
}
|
|
}
|
|
const mpol = PolF.ruffini(allZerosPol, bigInt(circuit.nConstraints));
|
|
const normalizer = PolF.F.inverse(PolF.eval(mpol, bigInt(circuit.nConstraints)));
|
|
for (let s = 0; s<circuit.nVars; s++) {
|
|
setup.toxic.aExtra[s] = F.random();
|
|
const factorA = PolF.F.mul(normalizer, setup.toxic.aExtra[s]);
|
|
const spolA = PolF.mulScalar(mpol, factorA);
|
|
setup.vk_proof.polsA[s] = PolF.add(setup.vk_proof.polsA[s], spolA);
|
|
|
|
setup.toxic.bExtra[s] = F.random();
|
|
const factorB = PolF.F.mul(normalizer, setup.toxic.bExtra[s]);
|
|
const spolB = PolF.mulScalar(mpol, factorB);
|
|
setup.vk_proof.polsB[s] = PolF.add(setup.vk_proof.polsB[s], spolB);
|
|
|
|
setup.toxic.cExtra[s] = F.random();
|
|
const factorC = PolF.F.mul(normalizer, setup.toxic.cExtra[s]);
|
|
const spolC = PolF.mulScalar(mpol, factorC);
|
|
setup.vk_proof.polsC[s] = PolF.add(setup.vk_proof.polsC[s], spolC);
|
|
}
|
|
|
|
|
|
|
|
// Calculate Z polynomial
|
|
// Z = 1
|
|
setup.vk_proof.polZ = [bigInt(1)];
|
|
for (let c=0; c<circuit.nConstraints; c++) {
|
|
// Z = Z * (x - p_c)
|
|
setup.vk_proof.polZ = PolF.mul(
|
|
setup.vk_proof.polZ,
|
|
[F.neg(bigInt(c)), bigInt(1)] );
|
|
}
|
|
}
|
|
|
|
function calculateEncriptedValuesAtT(setup, circuit) {
|
|
setup.vk_proof.A = [];
|
|
setup.vk_proof.B = [];
|
|
setup.vk_proof.C = [];
|
|
setup.vk_proof.Ap = [];
|
|
setup.vk_proof.Bp = [];
|
|
setup.vk_proof.Cp = [];
|
|
setup.vk_proof.Kp = [];
|
|
setup.vk_verifier.A = [];
|
|
|
|
setup.toxic.ka = F.random();
|
|
setup.toxic.kb = F.random();
|
|
setup.toxic.kc = F.random();
|
|
setup.toxic.kbeta = F.random();
|
|
setup.toxic.kgamma = F.random();
|
|
|
|
const gb = F.mul(setup.toxic.kbeta, setup.toxic.kgamma);
|
|
|
|
setup.vk_verifier.vk_a = G2.affine(G2.mulScalar( G2.g, setup.toxic.ka));
|
|
setup.vk_verifier.vk_b = G1.affine(G1.mulScalar( G1.g, setup.toxic.kb));
|
|
setup.vk_verifier.vk_c = G2.affine(G2.mulScalar( G2.g, setup.toxic.kc));
|
|
setup.vk_verifier.vk_gb_1 = G1.affine(G1.mulScalar( G1.g, gb));
|
|
setup.vk_verifier.vk_gb_2 = G2.affine(G2.mulScalar( G2.g, gb));
|
|
setup.vk_verifier.vk_g = G2.affine(G2.mulScalar( G2.g, setup.toxic.kgamma));
|
|
|
|
for (let s=0; s<circuit.nVars; s++) {
|
|
|
|
// A[i] = G1 * polA(t)
|
|
const at = F.affine(PolF.eval(setup.vk_proof.polsA[s], setup.toxic.t));
|
|
const A = G1.affine(G1.mulScalar(G1.g, at));
|
|
|
|
setup.vk_proof.A.push(A);
|
|
|
|
if (s <= setup.vk_proof.nPublic) {
|
|
setup.vk_verifier.A.push(A);
|
|
}
|
|
|
|
|
|
// B1[i] = G1 * polB(t)
|
|
const bt = F.affine(PolF.eval(setup.vk_proof.polsB[s], setup.toxic.t));
|
|
const B1 = G1.affine(G1.mulScalar(G1.g, bt));
|
|
|
|
// B2[i] = G2 * polB(t)
|
|
const B2 = G2.affine(G2.mulScalar(G2.g, bt));
|
|
|
|
setup.vk_proof.B.push(B2);
|
|
|
|
// C[i] = G1 * polC(t)
|
|
const ct = F.affine(PolF.eval(setup.vk_proof.polsC[s], setup.toxic.t));
|
|
const C = G1.affine(G1.mulScalar( G1.g, ct));
|
|
setup.vk_proof.C.push (C);
|
|
|
|
// K = G1 * (A+B+C)
|
|
|
|
const kt = F.affine(F.add(F.add(at, bt), ct));
|
|
const K = G1.affine(G1.mulScalar( G1.g, kt));
|
|
|
|
|
|
|
|
const Ktest = G1.affine(G1.add(G1.add(A, B1), C));
|
|
|
|
if (!G1.equals(K, Ktest)) {
|
|
console.log ("=====FAIL======");
|
|
}
|
|
|
|
|
|
|
|
setup.vk_proof.Ap.push(G1.affine(G1.mulScalar(A, setup.toxic.ka)));
|
|
setup.vk_proof.Bp.push(G1.affine(G1.mulScalar(B1, setup.toxic.kb)));
|
|
setup.vk_proof.Cp.push(G1.affine(G1.mulScalar(C, setup.toxic.kc)));
|
|
setup.vk_proof.Kp.push(G1.affine(G1.mulScalar(K, setup.toxic.kbeta)));
|
|
}
|
|
|
|
setup.vk_verifier.vk_z = G2.affine(G2.mulScalar(
|
|
G2.g,
|
|
PolF.eval(setup.vk_proof.polZ, setup.toxic.t)));
|
|
}
|
|
|
|
function calculateHexps(setup, circuit) {
|
|
let maxA = 0;
|
|
let maxB = 0;
|
|
let maxC = 0;
|
|
for (let s=0; s<circuit.nVars; s++) {
|
|
maxA = Math.max(maxA, setup.vk_proof.polsA[s].length);
|
|
maxB = Math.max(maxB, setup.vk_proof.polsB[s].length);
|
|
maxC = Math.max(maxC, setup.vk_proof.polsC[s].length);
|
|
}
|
|
|
|
let maxFull = Math.max(maxA + maxB - 1, maxC);
|
|
|
|
const maxH = maxFull - setup.vk_proof.polZ.length + 1;
|
|
|
|
setup.vk_proof.hExps = new Array(maxH);
|
|
setup.vk_proof.hExps[0] = G1.g;
|
|
let eT = setup.toxic.t;
|
|
for (let i=1; i<maxH; i++) {
|
|
setup.vk_proof.hExps[i] = G1.affine(G1.mulScalar(G1.g, eT));
|
|
eT = F.mul(eT, setup.toxic.t);
|
|
}
|
|
}
|
|
/*
|
|
function unrat(p) {
|
|
const res = new Array(p.length);
|
|
for (let i=0; i<p.length; i++) {
|
|
res[i] = RatPolF.F.toF(p[i]);
|
|
}
|
|
return res;
|
|
}
|
|
*/
|